HIPAA Technology & Security FAQ

Cloud Storage, Email, Remote Work, Encryption, and Device Security for Healthcare

10 questions covering the technology and security topics healthcare organizations ask about most — including cloud storage, Gmail, Outlook, texting PHI, remote work policies, and the safeguards that matter most.

Cloud, Email & Messaging

Yes. Cloud storage may be used under HIPAA when appropriate technical, administrative, and physical safeguards are implemented to protect protected health information. Your cloud vendor must sign a Business Associate Agreement (BAA) before storing any ePHI.

A standard Gmail account is not automatically HIPAA compliant. Certain Google Workspace plans may support HIPAA compliance when properly configured and accompanied by the appropriate agreements. See our BAA FAQ for details on which vendors require a Business Associate Agreement.

Microsoft Outlook can be used in a HIPAA-compliant manner when appropriate safeguards are implemented to protect electronic protected health information both at rest and in transit.

Organizations should not assume standard SMS messaging is appropriate for transmitting protected health information. Specialized solutions exist that are designed to support HIPAA-compliant messaging workflows.

Protected health information may be transmitted through email when appropriate safeguards, such as encryption, are implemented.

Remote Work & Device Security

Yes. Remote work is permissible provided the organization continues to maintain its administrative, physical, and technical safeguards. Organizations should address remote work scenarios in their HIPAA policies and ensure staff complete HIPAA training that covers remote work procedures.

In some circumstances, yes. Organizations should consider encryption, access controls, physical security, remote wipe capabilities, and workforce policies before allowing protected health information to be accessed on home devices. A Security Risk Assessment helps identify these risks and determine what controls are needed.

Technology Best Practices

Failing to encrypt systems, devices, and information whenever practical. Encryption gaps are one of the most common findings in a HIPAA Gap Analysis.

Encryption remains one of the most overlooked and underutilized safeguards available to healthcare organizations.

Organizations should focus on technologies that improve visibility, security, and incident awareness. Even simple solutions that notify staff of unexpected activity can provide meaningful operational benefits when used appropriately.

One Guy Consulting helps healthcare organizations evaluate their technology safeguards as part of the Security Risk Assessment process. Our HIPAA Gap Analysis identifies technical, administrative, and physical safeguard deficiencies.
